Finite-key security against coherent attacks in quantum key distribution

4 downloads 107 Views 471KB Size Report
Aug 16, 2010 - ... as discussed in detail in previous works [7–9, 17]. Then we present the new bound extracted from [11]. arXiv:1008.2596v1 [quant-ph] 16 Aug ...
Finite-key security against coherent attacks in quantum key distribution Lana Sheridan,1 Thinh Phuc Le,1 and Valerio Scarani1, 2

arXiv:1008.2596v1 [quant-ph] 16 Aug 2010

1

Centre for Quantum Technologies, National University of Singapore, Singapore 2 Department of Physics, National University of Singapore, Singapore (Dated: August 17, 2010)

The work by Christandl, K¨ onig and Renner [Phys. Rev. Lett. 102, 020504 (2009)] provides in particular the possibility of studying unconditional security in the finite-key regime for all discretevariable protocols. We spell out this bound from their general formalism. Then we apply it to the study of a recently proposed protocol [Laing et al., Phys. Rev. A 82, 012304 (2010)]. This protocol is meaningful when the alignment of Alice’s and Bob’s reference frames is not monitored and may vary with time. In this scenario, the notion of asymptotic key rate has hardly any operational meaning, because if one waits too long time, the average correlations are smeared out and no security can be inferred. Therefore, finite-key analysis is necessary to find the maximal achievable secret key rate and the corresponding optimal number of signals. PACS numbers: 03.67.Dd, 03.67.Ac

I.

INTRODUCTION

Quantum key distribution (QKD) provides a way of distributing secret keys for use in secure communication [1, 2]. Started by Bennett and Brassard in 1984 (BB84, [3]) and by Ekert in 1991 [4], QKD has posed several challenges, both theoretical and experimental, which have been met to a large extent. One of those challenges has been the derivation of security bounds that take into account the finite number N of exchanged quantum signals, i.e. the finite size of the keys one has to work with. The tools for such a study were remarkably anticipated by Mayers in his very first unconditional security proof [5], but for several reasons the full solution was delayed by more than 10 years. Hayashi’s formalism [6] was tailored for the BB84 protocol. The approach by Renner and one of us [7–9] is in principle more flexible but is limited to collective attacks in general: unconditional security could be claimed only for BB84 and those other few protocols, in which the bound for collective attacks is known to coincide with the one for the most general attacks [10]. Recently, Christandl, K¨onig and Renner developed some very general mathematical tools [11], one of whose applications is the derivation of finite-key bounds for any discrete-variable protocol (for the status of the question in continuous-variable protocols see [12]). In this paper, we spell out explicitly the method to compute the finite-key QKD bound described in [11]. This new tool can be used to compute unconditional security bounds in the finite-key regime for protocols like Bennett 1992 (B92 [13]), Scarani-Ac´ın-Ribordy-Gisin 2004 (SARG04 [14, 15]) or protocols based on the violation of Bell’s inequalities [16, 17]. As an application, we have rather chosen the reference frame independent protocol proposed by Laing et al. [18]. This protocol is useful in situations, in which the alignment of reference frames between Alice and Bob is not monitored and may vary in time. In this study we consider the finite key analysis of this protocol, in light of the fact that the reference frames relations in these scenarios will not only be unknown, but may also be fluctuating over the course of the protocol. Under these assumptions, one must find that optimal secret key rates are reached for a finite number of signals: if Alice and Bob wait too long time, their correlations will be smeared due to the misalignment of the frames. The paper is arranged as follows. In Section II we present the new method for finite key analysis against coherent attacks. In Section III, we use this method to analyze the reference frame independent protocol for two cases of drifting phase references: firstly, one frame rotating at constant speed relative to the other; secondly, the angle between the frames fluctuating according to a random walk. Lastly, in Section IV the implications of the results are considered.

II.

FINITE KEY ANALYSIS METHOD

We start by summarizing the notations and the bound for collective attacks, as discussed in detail in previous works [7–9, 17]. Then we present the new bound extracted from [11].

2 A.

Notations and bound for collective attacks

Let N be the number of signals sent by Alice that are received by Bob. In addition to the error rate in the raw key, denoted Q, the protocol uses nPE parameters V = {v1 , ..., vnPE } to bound Eve’s information. For simplicity, we consider asymmetric protocols [19], in which n signals are used to create the raw key, while other signals are used to estimate the other parameters (the secret key rate for the symmetric protocol is larger by nPE + 1 at most and becomes the same in the asymptotic limit). The number of signals devoted to estimating vj is written mj . Let now εP A be the probability that privacy amplification fails, and εPE the probability that the real value of a parameter lies outside of the chosen fluctuation range. There is a third error probability, denoted ε¯, which measures the accuracy of estimation of the smooth min-entropy. Finally, there is a probability εEC that error correction fails, which is determined by the choice of the error correction code. Because of the composability of the bound, in the worst case, the probability εcol that the quantum key distribution protocol fails does not exceed the sum of the probabilities of failure in different phases of the protocol: εcol = εPA + ε¯ + nPE εPE + εEC .

(1)

The user can choose εcol and εEC ; the other parameters can be optimized under the constraint (1). If the key alphabet is made by d-valued symbols, the secret key fraction against collective attacks is given by r n h 1 2 2 1 log(2/¯ ε) i min H(A|E) − H(A|B) − log − log − (2d + 3) , (2) rN,coll = N E|V±∆V(εPE ) n εEC n εPA n where we are assuming that the yield of the error correction protocol is perfect, to reach the Shannon limit, H(A|B).

B.

Beyond collective attacks

Previous works [7–9] used the bound above to claim unconditional security for the BB84 and the six-state protocols, as well as for their natural high-dimensional generalizations, because for those protocols the bound for collective attacks coincides with the one for coherent attacks [10]. But, for protocols using a less symmetric encoding, there is no guarantee that this is the case. The most general attacks are impossible to parametrize. Therefore, the generic recipe for unconditional security consists, in a nutshell, in bounding the possible advantage of coherent attacks over the collective ones, then computing the bound for collective attacks with the suitable overhead terms. The first such approach used the exponential de Finetti theorem [20, 21]. This theorem bounds the distance (n) between any state ρAB that leads to permutationally invariant statistics for Alice and Bob, and n-fold product ⊗n states σAB (or mixtures thereof), i.e. exactly the states that a collective attack would produce. The overhead obtained by this theorem turns out to be very heavy, so much so that it would make finite-key bounds unrealistically pessimistic (Figure 2). This fact was stressed already in [7], but the explicit expressions and results were not given, so we present them in Appendix A. The de Finetti theorem is tight if one wants to compare the attacks at the level of the states. Christandl, K¨ onig and Renner [11] noticed that, for the sake of QKD and other quantum information processing tasks, a much less refined comparison is actually sufficient. They found that it suffices to consider the distance between two permutation invariant maps and how this distance changes when acting on states that result from a general attack rather than on states from resulting from a collective attack. The maps are the one describing the QKD protocol being implemented and an idealized scheme which takes any quantum state as an input and distributes two classical perfectly correlated random strings to Alice and Bob. See Figure 1. In summary: let us fix εcoh as the tolerable failure probability of the secret key against coherent attacks. Then, the resulting expression for the secret key rate is rN = rN,coll −

2(d4 − 1) log(N + 1) N

(3)

3 ½AB

sifting

E : parameter estimation error correction privacy amplification

F= S ± E

S`A

S :

S'`A

S`B

creates perfect key

S'`B

=

FIG. 1: Consider the distance, ∆, between the permutation invariant maps E, implementing the QKD protocol, and F = S ◦ E, where the map S is a hypothetical process that takes an imperfect key to a perfect one. This distance can be found when the maps act on the de-Finetti-Hilbert-Schmidt state, which describes the case for collective attacks, and the increase in ∆ can be bounded when the same two maps act on an arbitrary state, the case for coherent attacks. This model is from [11].

where the bound for collective attacks (2) is computed under the constraint (1) for the security parameter 4

εcol = εcoh (N + 1)−(d

−1)

.

(4)

The improvement that this technique gives over the use of the exponential de Finetti theorem is illustrated in Figure 2. For the BB84 protocol the optimal coherent attack is a collective attack and therefore the line (a) is the best bound for security. However, if that were not known to be the case, the post-selection technique gives a bound close to the optimal one; whereas the bound obtained using the de Finetti is substantially worse and would imply the practical impossibility of obtaining a key in QKD.

III.

CASE STUDY: REFERENCE FRAME INDEPENDENT PROTOCOL A.

Review of the Protocol

We briefly describe the reference frame independent protocol [18]. In the prepare and measure scenario, Alice sends to Bob a qubit prepared in an eigenstate of three mutually unbiased bases {XA , YA , ZA } chosen at random but not necessarily with the same probability. Bob then receives a qubit which may be tampered by Eve and measures in his own basis chosen among a possibly different set of mutually unbiased bases {XB , YB , ZB }. The equivalent entanglement based version is that Alice and Bob receive a pair of entangled qubits in a state ρAB which is |Φ+ i in the ideal case, and perform the local measurements defined by the above-mentioned bases on them. The measurements can be described by a vector in the Bloch sphere which we will refer to by direction. Unlike usual protocols, where the reference frames orientations are actively monitored using the classical channel, this protocol requires one well defined direction ZA = ZB while the other two directions are related by an unknown

4 0.45 0.4

Secret key fraction

0.35

BB84 for 3 bounds ¡ = 10ï5 Q = 5%

0.3 0.25

(a)

0.2

(b)

(c)

0.15 0.1 0.05 0 4 10

10

6

8

10

10

10 Number of signals

12

10

14

10

16

10

FIG. 2: Secret key fraction for BB84 vs. the number of signals N for 3 different finite analysis bounds (a) collective attacks, (b) the post-selection technique, and (c) the exponential de Finetti theorem.

transformation XB = cos βXA + sin βYA , YB = cos βYA − sin βXA .

(5)

At the end of the signal exchange phase, they reveal their bases. This protocol is intrinsically asymmetric, in that the different bases play different roles. The raw key consists of the cases where both have measured in the Z basis, and is characterized by the quantum bit error rate Q=

1 − hZA ZB i . 2

(6)

Eve’s information is quantified by the parameter C = hXA XB i2 + hXA YB i2 + hYA XB i2 + hYA YB i2 ≤ 2

(7)

where C = 2 guarantees maximal entanglement. Note that four measurements are needed to estimate C, so the actual parameters that are measured are v1 = hXA XB i , v2 = hXA YB i , v3 = hYA XB i , v4 = hYA YB i .

(8)

The expression (7) has been chosen because it is independent of β: it retains its value even if Alice’s and Bob’s frames are misaligned. In the asymptotic limit, the information that Eve can gain from coherent attacks is upper bounded by     1 + umax 1 + v(umax ) IE (Q, C) = (1 − Q)h + Qh (9) 2 2 where umax

"p # C/2 1p = min , 1 , v(umax ) = C/2 − (1 − Q)2 u2max 1−Q Q

(10)

and h(x) is the binary entropy. This result holds in the range 0 ≤ Q . 15.9%, which is perfectly reasonable for the quality of optical lines.

5 Obviously, this protocol becomes of interest if β varies in time: if the frames are possibly misaligned but are guaranteed to be fixed in time, one would just align them once and for all. However, it takes time to collect enough data to estimate the four average values that enter the expression of C: the misalignment of the frames during this time leads to a smearing of the correlations and the consequent decrease of C. In particular, if one waits to accumulate a very large number of signals, C will ultimately drop so much that no security can be inferred: in other words, the asymptotic rate (9) somehow assumes not only that infinitely many signals can be collected, but also that β is fixed. In all meaningful situations, not only the realistic secret key rate, but also the optimal one must be determined by finite-key analysis. This is the object of what follows.

B.

Computing the finite-key bound

Let us particularize the parameters that enter the finite-key bound (3) to the protocol under study. We denote by pZ the probability that Alice and Bob choose the key basis Z; we assume that the other two bases are chosen with equal probability pX = pY = 1 − 2pZ ≡ p. So the raw key consists of n = N pZ2 signals, while each of the correlators vj is estimated using m = N p 2 signals. The quantity minE|V±∆V(εPE ) H(A|E) is given by 1−IE (Q0 , C 0 ) where Q0 and C 0 would be the perfect estimates, which are related to the observed values (Q, C) by assuming the worst case fluctuations, i.e. by increasing the error Q and reducing the correlations vj . Specifically, Q0 = Q + δ(n) and vj0 = vj − δ(m) where r ln(1/εPE ) + 2 ln(k + 1) δ(k) = . (11) 2k As in previous works we us the the Law of Large Numbers as presented in Cover and Thomas, Theorem 11.2.1 [22]. Other estimates have been studied [23]. Finally, H(A|B) = h(Q) where the expression is a function of the observed Q and not Q0 : the EC code must correct only the errors that have actually happened. At present, we have everything: one just has to choose the desired security level εcoh , give the values of N , εEC , Q and C, then maximize rN over the other parameters under the constraints (1) and (4). As anticipated, we are going to study the effects of the time variations of β.

C.

Dynamics of C for varying β

The real evolution of β during the protocol is, by definition, unknown: its monitoring would provide the information needed to align the frames. But in order to design a protocol and choose the suitable parameters, one must make a guess of how this evolution will be. This prior guessing is not proper to this protocol: it is a general necessity when one wants to make estimates before running the experiment (for a full discussion, see paragraph 2.3 in [8]). Let us start by rewriting (5) and (8) as v1 (t) = v1 (0) cos β(t) + v2 (0) sin β(t) , v2 (t) = v2 (0) cos β(t) − v1 (0) sin β(t) , v3 (t) = v3 (0) cos β(t) + v4 (0) sin β(t) , v4 (t) = v4 (0) cos β(t) − v3 (0) sin β(t) .

(12) (13)

These are the “instantaneous values”, i.e. the correlations that one would observe by freezing the frames at time t. Now, for simplicity we assume that the N signals one is going to collect are equally spaced in time with an interval τ . Then the observed correlations over the time TN required to collect the N signals will be given by PN −1 v¯j (TN ) = N1 k=0 vj (kτ ). In other words, denoting N −1 1 X iβ(kτ ) e ≡ c¯N + i¯ sN , N

(14)

k=0

the v¯j (TN ) are just the vj (t) with cos β(t) replaced by c¯N and sin β(t) replaced by s¯N . It is also easy to verify that the observed value of C will be  C(TN ) = C(0) c¯2N + s¯2N : (15)

6 the quality of the initial correlations is captured by C(0) and is factored out from the smearing due to the variations of β. Let us particularize now for two possible dynamics: • The frames drift apart at a constant angular velocity θ(t) = ωt. Then 1 1 − eiθN with θ = ωτ . N 1 − eiθ

c¯N + i¯ sN =

(16)

This leads in particular to C(TN ) = C(0)

1 − cos(θN ) . N 2 (1 − cos θ)

(17)

)) . As θ → 0, the continuous sampling limit is recovered of C(TN ) = C(0) 2(1−cos(θN (N θ)2

• The relative angle is following a random walk behavior: β changes by ±θ randomly in the time τ . One is led to compute the average value of the sine and cosine of a random walk, i.e. N/2

X

c¯N + i¯ sN =

eiθ(2k) PN (2k) = (cos θ)N

(18)

k=−N/2

where PN (d) = to

N 1 2N (N +d)/2



is the probability of travelling a distance d ∈ {−N, ...N } in N steps. This leads C(TN ) = C(0) (cos θ)2N .

(19)

In both cases, of course, C(TN ) goes to zero for large N . The effect of this smearing on the finite-key secret key rate is shown in Figure 3. 0.35

0.35 ï5

¡ = 10 Q = 5%

0.3 (b)

0.25

Secret key fraction

Secret key fraction

0.3

0.2 0.15 0.1

(b)

0.25 0.2 0.15 (c)

0.1

(a)

0.05

0.05 0 4 10

ï5

¡ = 10 Q = 5%

6

10

10

8

10

12

10 10 Number of signals

14

16

10

10

0 4 10

6

10

8

10

10

12

10 10 Number of signals

14

10

16

10

dθ π FIG. 3: Secret key fraction for (a) the frames drifting apart at constant angular velocity with dN = 180 × 10−10 , (b) fixed dθ π frames, (c) one frame drifting relative to the other according to a random walk with the different rate of dN = 180 × 10−5 −5 per step. The for both plots security parameter is  = 10 , C(0) = 1.72, and Q = 5%.

IV.

CONCLUSION

We have studied the application of the post-selection technique of [11] to QKD protocols in finite-key scenarios to extend security bounds for collective attacks to bounds for coherent attacks. We have compared it explicitly

7 to the bounds recovered for finite keys using the de Finetti theorem. We demonstrate how to compute this new bound by applying it to the reference frame independent protocol of [18]. In addition, we have considered two physically plausible scenarios for the case of unaligned reference frames: that one frame may be rotating relative to the other, or that one frame may be executing a random-walk-type drift relative to the other. The most prominent feature in these two cases is that the asymptotic limit does not give the best key fraction. This can be seen in Figure 3. The reason is that the longer we collect the signals, the lower the value of the security parameter C becomes. For a fixed ω or θ, there exists an optimal block of size N to obtain the best secret key fraction. If more key is required, the protocol should be terminated and restarted after each block. Hence any practical application of the reference frame independent protocol should aim for this optimal number of signals to be exchanged in a run of key distribution.

Acknowledgements

The authors would like to thank Matthias Christandl and Renato Renner for helpful discussions. This work was supported by the National Research Foundation and the Ministry of Education, Singapore.

[1] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. Phys. 74, 145 (2002). [2] V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dusek, N. Lutkenhaus, and M. Peev, Rev. Mod. Phys. 81, 1301 (2009). [3] C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing (IEEE, New York, 1984), pp. 175–179. [4] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991). [5] D. Mayers, in Advances in Cryptology — Proceedings of Crypto ’96 (Springer Verlag, Berlin, 1996), p. 343. [6] M. Hayashi, Phys. Rev. A 76, 012329 (2007). [7] V. Scarani and R. Renner, Phys. Rev. Lett. 100, 200501 (2008). [8] R. Y. Cai and V. Scarani, New J. Phys. 11, 045024 (2009). [9] L. Sheridan and V. Scarani (2010), arXiv:1003.5464. [10] B. Kraus, N. Gisin, and R. Renner, Phys. Rev. Lett. 95, 080501 (2005). [11] M. Christandl, R. K¨ onig, and R. Renner, Phys. Rev. Lett. 102, 020504 (2009). [12] A. Leverrier, F. Grosshans, and P. Grangier, Phys. Rev. A 81, 062343 (2010). [13] C. H. Bennett, Phys. Rev. Lett. 68, 3121 (1992). [14] V. Scarani, A. Ac´ın, G. Ribordy, and N. Gisin, Phys. Rev. Lett. 92, 057901 (2004). [15] C. Branciard, N. Gisin, B. Kraus, and V. Scarani, Phys. Rev. A 72, 032301 (2005). [16] A. Ac´ın, S. Massar, and S. Pironio, New J. Phys. 8, 126 (2006). [17] V. Scarani and R. Renner, in Proceedings of TQC2008, Lecture Notes in Computer Science 5106 (Springer Verlag, Berlin, 2008), pp. 83–95. [18] A. Laing, V. Scarani, J. G. Rarity, and J. L. O’Brien, Phys. Rev. A 82, 012304 (2010). [19] H.-K. Lo, H. Chau, and M. Ardehali, J.Cryptology 18, 133 (2005). [20] R. Renner, Int. J. Quant. Inf. 6, 1 (2008). [21] R. Renner, Nature Physics 3, 645 (2007). [22] T. M. Cover and J. A. Thomas, Elements of Information Theory (Wiley Interscience, 2006), 2nd ed., ISBN 9780471241959. [23] Y. Sano, R. Matsumoto, and T. Uyematsu (2010), arXiv:1003.5766.

Appendix A: De Finetti

Here we consider the bound which can be derived from using the de Finetti bound when using d-dimensional systems following the results of [20]. Now, of the sifted signals Ns , m will be used for parameter estimation and k systems are traced over to make use of the de Finetti theorem by bounding the remaining systems to have been very close to a mixture of product states σ ⊗n . Thus, n = Ns − m − k is the number of remaining systems that can be put towards the key, but since

8 it is not yet secure, this is the raw key. |θi Let the state ρ¯n be the permutationally invariant output of a quantum key distribution protocol. Because the |θi state ρ¯n is in general not exactly of product form, for any |θi, it is a pure state of the symmetric subspace of H⊗n P |θi ⊗n−t such that ρ¯n = π |θi ⊗ |φit , where the sum is over all permutations, π, for some t such that 0 ≤ t ≤ m/2. |θi In some sense, t can be thought of as quantifying the distance that the state ρ¯n is from the perfect pure n-fold product state. So we can now introduce an error, εdeF , that parameterizes t: εcoh = εPA + ε¯ + nPE εPE + εEC + εdeF .  where t = Nks 2 ln(2/εdeF ) + d4 ln(k) [20]. The maximum error in the parameter estimation, assuming m samples, is now: s   1 ln(1/εP E ) + d ln(m/2 + 1) t δ(m) = + (1 + ln 2) h d−1 m m

(A1)

(A2)

where k is optimized over. We see then that if k is larger, t can be smaller (the form of the raw key state can constrain Eve to collective attacks more closely), however, this reduces the size or the raw key, so there is a trade-off. The term giving the privacy amplification correction is also modified [20], so that the final rate is given by n h 1 2 rN,coh,deF = min H(A|E) − H(A|B) − log (A3) N E|V±∆V(εPE ) n εEC  r i 5 2 log(2/¯ ε) 2 2 d+4 + h(t/n) . (A4) − log(1/εP A ) − (m + k) log(d ) − n n 2 n These expressions can be used in equation (2) to get a bound for coherent attacks.

Appendix B: Derivation of Eqs. (3) and (4) from Ref. [11]

General coherent attacks can be bounded in terms of collective attacks for general permutation invariant protocols by using the method introduced in [11]. First, it is usually easier to prove that a protocol is secure against collective attacks than coherent ones, so the problem is approached for a particular state, the de-Finetti-Hilbert-Schmidt state τAN B N , which represents the mixture over states that could be held by Alice and Bob after Eve makes a collective attack. This state is defined as: Z ⊗N τAN B N = σAB dHS σAB (B1) where dHS is the measure induced by the Hilbert-Schmidt metric, ∆HS (X − Y ) = kX − Y kHS and kXk2HS = Tr(X † X). Let E be the actual protocol for which security is to be proven and F be an ideal key-generation protocol composed of the actual protocol E and a map S that takes classical inputs and outputs a perfectly random perfectly correlated key string, i.e. F = S ◦ E that for any inputs gives Alice and Bob the output of an ideal key. (See Figure 1.) The main theorem of [11] guarantees the security of this protocol against any coherent attack 4

∆(E, F)ρ ≤ (N + 1)d

−1

∆(E, F)τ ,

(B2)

where ∆(E, F)ρ and ∆(E, F)τ are the diamond-norm distances between the protocols for arbitrary states ρ and the de-Finetti-Hilbert-Schmidt state τ respectively, and N is the number of signals or subsystems each with dimension d2 (bipartite qudits shared by Alice and Bob). Since ρ is an arbitrary state it can correspond to an arbitrary quantum-mechanically-allowed attack by Eve.

9 In order to find the secret key fraction for finite length keys, it is also necessary to consider the effect of Eve’s possession of the purification of ρAN B N . This is already considered for collective attacks when the min-entropy of Alice’s information given Eve’s, Hmin (A|E), is used to bound the secret key fraction. Let HE be the system Eve holds that purifies σAB . (See Figure 4.) Now it is necessary to also include the extra information R ⊗N she may have as a result of holding the purification of the mixture of the state on N systems τA0 N B N E N = σABE d(σABE ) where d(·) is the Haar measure over pure states, σABE . Let the purification of this N -system state be on the Hilbert ε¯ space HE 0 . So now we must consider Hmin (AN |E N E 0 ) in the equation for the secret key fraction. We use the entropy bound ε¯ ε¯ Hmin (AN |E N E 0 ) ≥ Hmin (AN |E N ) − 2H0 (E 0 ).

(B3)

4

A space of dimension no more than (N + 1)d −1 is needed to construct such a purification and so HE 0 cannot   4 contain more than log (N + 1)d −1 bits of information. We therefore subtract twice this from the available entropy and divide by the number of signals N to obtain equation (3).

¾ABE

A

B E

£ N copies A

B E

A

B E

A

B E

E'

½AN BN EN E' FIG. 4: Eve’s Hilbert space E purifies each entangled system space held by Alice and Bob. The remainder of Eve’s space E 0 purifies the state τ 0 on N systems which is a mixture over the possible pure product states σABE .

So, the post-selection technique gives another way to relate a bound that can be shown for collective attacks to a bound for an unknown optimal coherent attack, provided that there is a bound on the dimension of the systems being exchanged d. In other words, this result just as the de Finetti theorem cannot be used as such for continuous variables.